Cyber Security Risk Analyst

Job Description:

Scope of Work:

The Cyber Security Risk Analyst supports the client s Governance, Risk, and Compliance (GRC) program by performing detailed risk evaluations, reviewing policy exception requests, and managing risk tracking in the ServiceNow GRC platform.

Key Responsibilities:

• Conduct structured risk assessments, review internal controls, evaluate third-party security attestations, and support vulnerability and compliance activities.
• Collaborate with IT, legal, compliance, audit, and business teams to identify, assess, and manage cybersecurity risks across the organization.
• Review and process policy exception requests submitted through ServiceNow GRC by validating information, conducting risk evaluations, and preparing formal recommendations for approval or denial.
• Participate in vulnerability assessments, validate remediation efforts, contribute to audit preparation and remediation, and ensure clear documentation in ServiceNow GRC.
• Work closely with cross-functional teams to enhance the client s overall risk posture and ensure adherence to internal policies and external compliance mandates.

Qualifications:

• Demonstrated hands-on experience with Governance, Risk, Compliance tools such as ServiceNow, Riskonnect, LogicManager, RSA Archer.
• Strong understanding and application of cybersecurity risk management principles and control frameworks, including NIST SP 800-53, NIST RMF 800-37, ISO 27001, HIPAA Security Rule, PCI and FedRAMP.
• Demonstrated ability to conduct structured risk assessments, to include the analysis of compensating controls, residual risk determination, application of quantitative risk models, and providing formal recommendation regarding the acceptance or denial of exception requests.
• Demonstrated experience with the policy exception request process to include the intake/review of new exception requests to ensure completeness, accuracy, and consistency of the information provided, follow up with requestors to obtain missing or unclear information, performance of risk assessments, approval/denial recommendations and stakeholder communications regarding risk acceptance
• Strong technical foundation with the ability to interpret network diagrams, threat models, vulnerability scan results, and compliance assessment reports.
• Familiarity with risk qualification methodologies such as NIST, ISO 27005, Factor Analysis of Information Risk (FAIR).
• Demonstrated ability to evaluate third-party System and Organization Controls (SOC) reports specifically SOC 1 Type II and SOC 2 Type II for completeness, relevance, and control alignment.
• Proven ability to contribute to third-party risk assessments, compliance audits, and the evaluation of internal security controls.
• Proven track record in performing the duties of an Information Security Risk Analyst, including structured risk assessments and policy exception reviews.
• Track record of supporting policy exception management processes and risk tolerance assessments in complex regulatory environments

Certifications:

• CISSP (Certified Information Systems Security Professional)
• CRISC (Certified in Risk and Information Systems Control)
• GRCP (GRC Professional Certification)
• CISA (Certified Information Systems Auditor)
• CGRC (Certified in Governance, Risk, and Compliance)